Date: Wed, 26 Jun 2002 21:49:57 -0500
From: D J Hawkey Jr
To: Steve Ames
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)
Message-ID: <20020626214957.A2165@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20020627022949.GA55324@energistic.com>; from steve@energistic.com on Wed, Jun 26, 2002 at 09:29:49PM -0500

On Jun 26, at 09:29 PM, Steve Ames wrote:
>
> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote:
> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote:
> > >
> > > hawkeyd@visi.com (D J Hawkey Jr) writes:
> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer
> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?"
> > > > is "That does appear to be the case.".
> > >
> > > 2.9 is not vulnerable to this particular attack.
> >
> > That's as simple as it gets. Thanks.
>
> That "particular attack"... yep. The CERT advisory seemed to indicate
> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3...

See below for some observations. For brevity's sake, I've snipped
irrelevant text.

> -Steve
>
>
> CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
> Handling
>
> [SNIP]
>
> III. Solution
>
> [SNIP]
>
> Disable challenge response authentication
>
> For OpenSSH versions greater than 2.9, system administrators can
> disable the vulnerable portion of the code by setting the
> "ChallengeResponseAuthentication" configuration option to "no" in
> their sshd configuration file. Typically, this is accomplished by
> adding the following line to /etc/ssh/sshd_config:
>
> ChallengeResponseAuthentication no

This I did when I enabled SSH. Seems a mis-match on this between clients
and servers can go a little weird.

> Disable PAM authentication via interactive keyboard
>
> For OpenSSH versions greater than 2.9, system administrators can
> disable the vulnerable portion of the code affecting the PAM
> authentication issue by setting the "PAMAuthenticationViaKbdInt"
> configuration option to "no" in their sshd configuration file.
> Typically, this is accomplished by adding the following line to
> /etc/ssh/sshd_config:
>
> PAMAuthenticationViaKbdInt no

No such animal with the OpenSSH version in RELENG_4_5.

> Disable both options in older versions of OpenSSH
>
> For OpenSSH versions between 2.3.1p1 and 2.9, system administrators
> will instead need to set the following options in their ssh
> configuration file:
>
> KbdInteractiveAuthentication no
> ChallengeResponseAuthentication no

The first doesn't exist in the OpenSSH version in RELENG_4_5.

Would I be naive - or stupid - in assuming that those features that
aren't even implemented cannot be vulnerable?

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
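An added example, not part of the message above or of the CERT advisory: a small audit that reports which of the workaround keywords quoted in the advisory are not explicitly set to "no" in an sshd configuration file, for either version range the advisory names. The function names, the `newer`/`older` labels and the sample file are assumptions made for illustration; the script only reads the file and never adds keywords to it.

```shell
# Added example, not from the thread or the advisory.
# Assumptions: keywords match case-insensitively, the first occurrence of a
# keyword is the one that counts, and a line starting with "#" is a comment.

# required_options BRANCH: keyword list taken from the quoted advisory text.
#   newer = "versions greater than 2.9"
#   older = "versions between 2.3.1p1 and 2.9"
required_options() {
    case "$1" in
        newer) echo "ChallengeResponseAuthentication PAMAuthenticationViaKbdInt" ;;
        older) echo "KbdInteractiveAuthentication ChallengeResponseAuthentication" ;;
        *) return 2 ;;
    esac
}

# audit_sshd_config FILE BRANCH
# Prints "keyword: state" for each required keyword not explicitly "no".
# Returns 0 when all are "no", 1 when any is missing or different.
audit_sshd_config() {
    opts=$(required_options "$2") || return 2
    awk -v want="$opts" '
        BEGIN { n = split(want, names, " ") }
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = tolower($1)
            if (!(key in seen)) { seen[key] = 1; val[key] = $2 }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = tolower(names[i])
                if (!(k in seen)) { print names[i] ": not set"; bad = 1 }
                else if (val[k] != "no") { print names[i] ": " val[k]; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Constructed sample file: one keyword set, one commented out, and a later
# duplicate that is ignored because the first occurrence wins.
sample=$(mktemp) || exit 1
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
challengeresponseauthentication no
#KbdInteractiveAuthentication no
ChallengeResponseAuthentication yes
EOF
audit_sshd_config "$sample" older || echo "mitigations incomplete"
```

A keyword reported as "not set" only means the file does not state it; whether the running sshd recognises that keyword at all depends on the installed version, which is the situation the message describes for RELENG_4_5.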